Sending your logs to /dev/null since 1976

MS12-020, the saga continues: exploit code published for the RDP Chinese worm leaked from Microsoft?

I was sent this link, which is hilarious: http://istherdpexploitoutyet.com/

It has some really short information on the exploit and PoC and, obviously, on who bought it (yes kids, ZDI bought this one, gave it to Microsoft, and then one of them managed to leak it), but apparently the original exploit code was leaked (complete article HERE).

From the article:

“Chinese hackers have released proof-of-concept code that provides a roadmap to exploit a dangerous RDP (remote desktop protocol) vulnerability that was patched by Microsoft earlier this week.

The publication of the code on a Chinese language forum heightens the urgency to apply Microsoft’s MS12-020 update, which addresses a remote, pre-authentication, network-accessible code execution vulnerability in Microsoft’s implementation of the RDP protocol.”

Well, I’m not fluent in Chinese at all, BUT when I went to the website it clearly says at the top:

“0day discount
This BLOG from time to time the market of 0day of exp”

Errr, I’m sorry, but that does not tell ANYONE to go and patch as the article says; they actually go even further, saying: “Thanks to 360 friends to provide the EXP.” Well, apparently the 360 guys managed to grab that exploit, which apparently carries a special signature from the researcher Luigi Auriemma (@luigi_auriemma).

That is a good practice and I hope it starts up again: watermarking the PoCs so you can see where the leak is. The interesting part is … who is owned by the Chinese? ZDI? Or Microsoft? If they leaked that, which others have been leaked?

This bug will end up exposing more flaws in how such bugs are handled, and in how its PoC leaked, than the bug itself!

UPDATE:

In this tweet (https://twitter.com/#!/luigi_auriemma/status/180646548395401216) Luigi Auriemma confirms that Microsoft was the source of the leak.

Luigi Auriemma @luigi_auriemma
in case it isn’t clear yet: rdpclient.exe seems written by Microsoft using the original packet poc I sent to ZDI. MS is the source of the leak